IETF Logo Mail Archive

[Cfrg] randomness improvements via DHE/ECDHE, was: [Re: I-D Action: draft-irtf-cfrg-randomness-improvements-01.txt]

Jason Cooper <cfrg@lakedaemon.net> Tue, 03 July 2018 13:38 UTC

Return-Path: <cfrg@lakedaemon.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AE9E130E0A for <cfrg@ietfa.amsl.com>; Tue, 3 Jul 2018 06:38:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.791
X-Spam-Level:
X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: invalid data)" header.d=lakedaemon.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f8eizjTWBh6X for <cfrg@ietfa.amsl.com>; Tue, 3 Jul 2018 06:38:37 -0700 (PDT)
Received: from outbound1a.ore.mailhop.org (outbound1a.ore.mailhop.org [54.213.22.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49A9B130DED for <cfrg@ietf.org>; Tue, 3 Jul 2018 06:38:37 -0700 (PDT)
X-MHO-RoutePath: amFjMjk5NzkyNDU4
X-MHO-User: 617cc00a-7ec6-11e8-8837-614b7c574d04
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
X-Originating-IP: 108.39.81.162
X-Mail-Handler: DuoCircle Outbound SMTP
Received: from io (unknown [108.39.81.162]) by outbound1.ore.mailhop.org (Halon) with ESMTPSA id 617cc00a-7ec6-11e8-8837-614b7c574d04; Tue, 03 Jul 2018 13:38:35 +0000 (UTC)
Received: from io.lakedaemon.net (localhost [127.0.0.1]) by io (Postfix) with ESMTP id 3C78580018; Tue, 3 Jul 2018 13:38:33 +0000 (UTC)
X-DKIM: OpenDKIM Filter v2.6.8 io 3C78580018
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lakedaemon.net; s=mail; t=1530625113; bh=sILJMO9tBNuCLrQfIL327Gnyb/ij6/kcleQRxvyqLCI=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=nHl7PSZaEJ0zamfUeH8AOMyYY74OZGD8WVsN/sRthxQ4Jqu8UcZOZKW8MTQzUVjwg oeRcebdVnQLPYS2mOz56vL3qZEHogYl8cBv9yhnX30SIO3gpq4/v7UVIDIf2Ble2mV caIPM/OX4KBmtjYLMpgZiOr3Cfhcx0CM4fh3XL88AwDSegxhywjxbS/YTLHGRcbJ// imnwUS7nkEASKJupC4+UUFC/BgV6YVFrnbnYgi9a3nwkxCJUnI9aTsUBazfNxpl4Ll o4XtZ52SEecVOEPjJPELRar/Jj9+LC/xubqJyLhDn5NugZRevwT+gNXrABzKUQaUPt oCrpC1O5hqMbA==
Date: Tue, 03 Jul 2018 13:38:32 +0000
From: Jason Cooper <cfrg@lakedaemon.net>
To: internet-drafts@ietf.org
Cc: i-d-announce@ietf.org, cfrg@ietf.org
Message-ID: <20180703133832.GG26205@io.lakedaemon.net>
References: <153057074266.16504.3005107465775487514@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <153057074266.16504.3005107465775487514@ietfa.amsl.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/s9rPORPdSM4euRwLD3wmuR2VN6A>
Subject: [Cfrg] randomness improvements via DHE/ECDHE, was: [Re: I-D Action: draft-irtf-cfrg-randomness-improvements-01.txt]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2018 13:38:39 -0000

All,

On Mon, Jul 02, 2018 at 03:32:22PM -0700, internet-drafts@ietf.org wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Crypto Forum RG of the IRTF.
> 
>         Title           : Randomness Improvements for Security Protocols
>         Authors         : Cas Cremers
>                           Luke Garratt
>                           Stanislav Smyshlyaev
>                           Nick Sullivan
>                           Christopher A. Wood
> 	Filename        : draft-irtf-cfrg-randomness-improvements-01.txt
> 	Pages           : 7
> 	Date            : 2018-07-02
> 
> Abstract:
>    Randomness is a crucial ingredient for TLS and related security
>    protocols.  Weak or predictable "cryptographically-strong"
>    pseudorandom number generators (CSPRNGs) can be abused or exploited
>    for malicious purposes.  The Dual EC random number backdoor and
>    Debian bugs are relevant examples of this problem.  This document
>    describes a way for security protocol participants to mix their long-
>    term private key into the entropy pool(s) from which random values
>    are derived.  This augments and improves randomness from broken or
>    otherwise subverted CSPRNGs.

As an engineer working with embedded / constrained systems, it's
refreshing to see this work.  Thanks!

I've not had the opportunity to contribute an RFC before, so I'm
unfamiliar with the process.  I'm interested in doing an extension /
follow-on to this RFC that would use ephemeral shared secrets derived
from DHE or ECDHE.

The scenario being: a constrained device, on first boot, empty entropy
pool.  It uses it's long-term private key to seed the pool as you've
outlined.

Then, to strengthen the pool, it does DHE/ECDHE negotiations with
multiple peers on it's local network.  The ephemeral shared secret from
each of those negotiations is then fed into the entropy pool.  How to do
this securely would be the bulk of the proposed RFC.

Questions the RFC would address:

 - Zero-credit is a safe default, what is a safe margin to credit the
   entropy pool for each shared-secret contribution, if any?

 - Threat model to mitigate: Network observer gaining info about the
   state of the pool.

 - Threat model to mitigate: One or more (all?) peers independently, in
   concert, or in concert with network observer using their knowledge of
   one or more shared secrets to gleen information about the state of
   the entropy pool.

 - Threat model to mitigate: One or more active attackers using chosen
   private/public ephemeral key pairs to manipulate the state of the
   entropy pool.  Possibly by flooding.  This could be limited to the
   number of connections initiated by the client desiring seeding
   material.  Resilience to this threat model would enable servers
   (connection receivers) to take advantage of this source as well.

 - Can this proposed RFC be relied on to 'X' security level independent
   of the long-term private key seeding RFC?  In other words, can it
   provide *any* security if it's the sole seeder of an entropy pool?

Is this a sane idea?  I'm leary of the fact that two parties know the
shared secret (by design), but I think it has good potential at least as
one of many seed sources to a pool.  At a minimum as a non-credit
"stirring" of an existing pool.

Any thoughts or insights would be much appreciated.

Thanks,

Jason.

v2.23.0 | Report a Bug | By Email